The Whitehall digital unit, based in the Department for Science, Innovation and Technology, has awarded technical support contracts worth £17.5m as it starts process to reobtain recently lost formal trustmark
The Government Digital Service has awarded a pair of multimillion contracts to provide cybersecurity and technical architecture services for the GOV.UK One Login programme – as the project to deliver the new sign-in tool begins work to reattain the system’s recently lost formal trust certification, PublicTechnology can reveal.
On 26 March, the digital unit entered into a two-year £8m deal with PA Consulting “for the provision of technical architecture services… to support GDS’s digital identity programme”. A few days later, the organisation awarded another 24-month engagement related to its digital ID work, with Accenture winning a £9.5m contract to provide “cyber security services”.
The award of the two deals comes after significant recent scrutiny of the security of government’s new digital identity system: One Login. Following reports that top cyber officials had previously warned that the platform was “carrying a high level of risk”, a minister said “these comments are outdated and reflect a view from when the programme was in its infancy in 2023”. It has also been reported by Computer Weekly that a recent red-teaming testing exercise found a significant potential security flaw in the platform.
Meanwhile government’s own online records confirm that One Login recently lost its certification against the formal digital identity standards framework operated the GDS parent organisation the Department for Science, Innovation and Technology.
Launched last September, the UK digital identity and attributes trust framework enables technology providers to obtain a government-endorsed trustmark. Certified digital ID providers can then be searched for via a publicly available online register – a list which, as of a few weeks ago, no longer includes government’s own One Login platform.
PublicTechnology understands that the loss of this trust certification was because a supplier – understood to be tech firm iProov – “allowed their certification to lapse”.
It is also understood that the government contends that the removal of the badge “is not due to any change in product or approach in One Login and [the project is] working to commence recertification”. No timeline for re-attaining the trustmark has been provided.
Related content
- GDS opens GOV.UK Wallet for public bodies
- GDS invites 5,000 users to test GOV.UK App
- GDS and digital ID watchdog meet with vendors to explore ‘how GOV.UK Wallet can work with private sector solutions’
PublicTechnology asked DSIT whether the recent supplier contracts would help address recent security concerns around One Login – and whether the technology’s lack of certification would provide challenges to the rollout in the meantime.
In response, a government spokesperson said: “Protecting the security of government services and the data and privacy of users is paramount. These contracts bring in specialist technical expertise to support that work and the continued development of GOV.UK One Login, helping to ensure it remains secure, reliable and resilient. As you would expect, we carry out regular, rigorous security testing to ensure we have the ability to respond to any potential cyber threats. While we don’t comment on specific operational security matters, One Login continues to meet high standards of cyber security and data protection, in line with best practice and government policy.”
DSIT indicated that both deals relate to sophisticated technical services and that each was subject to a thorough competitive commercial process. Supplier staff brought in to help deliver the new government-wide sign-in system will work alongside civil servants.
The department added that it aims to ensure the security of One Login via round-the-clock “eyes-on monitoring and incident response”.
The concerns about the security of One Login come as GDS works to significantly drive up adoption of the system throughout Whitehall. As of late last year, the tool had been implemented by 50 individual government services, and more than four million people had created an account – although ministers had previously expressed hope that this figure would reach about 30 million by the end of 2024.
To support work to ensure that these additional tens of millions of citizens sign up for One Login in the coming months, GDS last summer signed a six-figure deal with a major public relations firm to help create a “clear drumbeat” of messaging about the One Login platform.
